Data is a crucial resource of any organization, and if it is lost,
compromised, or stolen, the effects on the business can be devastating.
You need to have systems in place to protect data — whether at rest or in
transit — from unauthorized access.
Data at rest is stored physically, for example, in a database, data
warehouse, tapes, off-site backups, or on mobile devices. Organizations can
use encryption to fight threats to their data at rest. Encrypting data
protects information from disclosure even if that information is lost or
Data that is moving from one place to another — for instance when it is
transmitted over the Internet — is referred to as data in transit or data in
motion. Protocols such as HTTPS, SSL, and TLS are often used to
protect data in motion.
In this document, we show you a solution-oriented approach to protect your data — whether your data is at rest or in transit. This approach covers how to encrypt data at rest (files, objects, storage) and in motion, as well as solutions to monitor data activity to verify and audit data that is outsourced to the cloud.
Key components of data security that you should account for in your cloud solution include:
- Data protection
- Data integrity
- Data classification and data activity monitoring
- Data privacy and regulations
A data protection solution for your cloud environment should offer data
encryption, data access control, key management, and certification
To create secure data protection, you need to consider the following
options that are available to customers and users:
- Data-at-rest encryption in IBM® Cloud®
- Block and file storage encryption services using IBM Cloud Data Encryption Services
- IBM Key Protect
- Object store encryption using IBM® Cleversafe®
- Cloud data services encryption
- Certificate management
For each of these options, you need to define processes, controls, and
policies for how to implement them.
Data encryption and key management
First, let’s look at IBM Cloud’s capabilities for encrypting data at rest.
Customers should be able to encrypt their data stored in IBM Cloud and
manage their own keys – across all supported data and storage
IBM Cloud solutions offer key management capabilities and support for file,
block, object store, and database-level encryption. As part of key
management, we will describe support for hardware security modules (HSM)
for greater security.
Figure 1 shows IBM Cloud’s encryption capabilities for data at rest.
When creating a cloud solution with strict data security, you should
consider the following:
- The type of data that a customer uses determines their encryption
- Different data storage types, including files, objects, databases,
data services, and block
- Key management – and especially customer-managed keys and hardware key
To address a wide range of application and business requirements, IBM Cloud
provides multiple options for encrypting data at rest: encryption for block
and file storage, encryption at the object level, encryption for data
services, and key management.
Figure 2 shows the different options:
IBM Cloud Data Encryption
IBM Cloud Data Encryption Services (ICDES) is a software-defined data
protection solution that can be run in any public or private data center.
ICDES is included in IBM SoftLayer®, IBM’s Infrastructure as a Service
ICDES provides data-storage encryption capabilities with
availability and fault tolerance to meet enterprise encryption
requirements for data at rest. This solution can be used in public,
private, hybrid, or on-premises cloud environments.
- Built-in key management: A built-in key management system eliminates the need for expensive bulk key storage systems and allows for the enhanced security of unique encryption keys at the granularity of a file. With ICDES, you determine what folders or files to protect (encrypt) and your desired level of resiliency. With the VMware version, you can create a secure data store with vCenter access.
- Ease of use: ICDES brings together a unique combination of random cryptographic splitting and data encryption in an easy-to-use, FIPS 140-2 certified solution. It supports regulatory compliance for HIPAA, FISMA, Sarbanes-Oxley, EUDPD, and PCI.
- Speed and performance: ICDES software works at the kernel level of the server on which it is deployed, and it takes full advantage of the AES-NI hardware acceleration available in most newer processors. Compared to encryption solutions that work outside the kernel, ICDES performs considerably better.
- Permissions support: ICDES works seamlessly with the authentication and authorization system already in place, including Active Directory and LDAP, so user permissions, access methods, and policies remain the same once ICDES is set up. ICDES has local user authentication for administrators.
- Disaster recovery: ICDES supports disaster recovery. It allows data to be split across data centers in different geographies. So, if a data center is lost due to a disaster, the data can still be accessed.
IBM Key Protect
In IBM® Bluemix® Public environments, Key Management Services are provided by a
component called IBM Key Protect. This component is a cloud-based,
multi-tenant key management service that gives customers ownership of
the encryption process in their environment. Key Protect is based on OpenStack Barbican, which provides a REST API for secure storage, provisioning and management of cryptographic keys, X.509 certificates and passwords.
IBM Key Protect enables customers to encrypt sensitive data at rest and
easily create and manage the entire lifecycle of cryptographic keys that
are used to encrypt data. Encrypting data enables customers to store their
data in the cloud and protect it from theft and compromise. Since the keys
remain in possession of the customer, the data is protected from cloud
service providers as well as from other users.
Cloud-based hardware security
The solution provides cloud-based hardware security modules (HSM). The
comprehensive key management solution is standards-based and enables
customers to meet regulatory requirements and data security
In this context, a user’s secret key is encrypted with the HSM’s encryption
key (wrapped). The user’s secret key never leaves the HSM, while the
encrypted version of this secret key is retained outside the HSM by the
user and is an index to the actual secret key in the HSM. When a user
needs to perform a cryptographic operation using this key, the encrypted
version of the key is used to refer to the actual secret key stored in the
HSM where all the cryptographic operations are performed.
In this way, a user’s secret key never leaves the HSM. The HSMs are
certified to FIPS 140-2 level 2. Once keys are deleted, they cannot be
recovered, and any data encrypted using these keys can no longer be
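The wrapping scheme just described, as an added illustrative model that is not IBM's code nor any real HSM's firmware: the module keeps its wrapping key (KEK) and every user key internally, hands out only wrapped blobs (AES-256-GCM under the KEK, bound to a key handle), performs the encryption itself, and makes a deleted key unusable even to a caller who still holds the wrapped copy. The handle-based API and the in-module key table are assumptions of the model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// hsm is an illustrative model (assumption) of the scheme described above: the
// KEK and user keys exist only inside it; callers hold wrapped blobs as indexes.
type hsm struct {
	kek  []byte            // key-encryption key, never exported
	keys map[string][]byte // user keys by handle, never exported
}

func newHSM() *hsm { return &hsm{kek: random(32), keys: map[string][]byte{}} }
func random(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal/open are AES-256-GCM with blob = nonce || ciphertext. Keys here are
// always 32 bytes, so cipher construction cannot fail and its error is dropped.
func seal(key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	nonce := random(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
func open(key, blob, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	if len(blob) < g.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// createKey generates a key inside the module and returns only its wrapped
// form, bound to the handle through the GCM associated data.
func (h *hsm) createKey(handle string) []byte {
	key := random(32)
	h.keys[handle] = key
	return seal(h.kek, key, []byte(handle))
}

// encrypt runs inside the module: the blob is unwrapped only here, and only if
// the key still exists and the blob was wrapped here under this handle.
func (h *hsm) encrypt(handle string, wrapped, plaintext []byte) ([]byte, error) {
	if _, ok := h.keys[handle]; !ok {
		return nil, errors.New("key deleted: data is unrecoverable")
	}
	key, err := open(h.kek, wrapped, []byte(handle))
	if err != nil {
		return nil, errors.New("wrapped key not valid for this module and handle")
	}
	return seal(key, plaintext, nil), nil
}

// deleteKey destroys the in-module copy; the wrapped blob alone recovers nothing.
func (h *hsm) deleteKey(handle string) { delete(h.keys, handle) }
```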
How Key Protect works
IBM Key Protect provides an API so customers can programmatically integrate
their applications with the component. The API is for general use and does
not require specialized skills to use.
Mutual authentication and Transport Layer Security (TLS) secure API calls.
With IBM Key Protect, you can create keys for your applications from a
user interface as well. You can select the key type, algorithm, and
strength of the key from a drop-down that requires minimal knowledge of
cryptography to use. Alternately, you can import a key that you have
created on your own.
Key Protect support is presently available in Bluemix Public. When a key is created, a service credential is
generated with the information needed to configure your application to communicate
with Keystone and Barbican.
IBM Key Protect currently supports use of the Barbican API only for
/v1/orders and /v1/secrets. Other Barbican capabilities are not supported.
Refer to the Bluemix documentation for more information about Getting Started with Key Protect (Beta).
Object store encryption using IBM Cleversafe
IBM Cleversafe is a cloud platform storage system that can scale to provide
storage for petabytes of data per customer. Cleversafe can be deployed
on-premises, off-premises, or in hybrid cloud environments. Cleversafe
customers have production deployments exceeding 100 petabytes of capacity,
and the ability to scale to exabytes without compromising reliability,
availability, or manageability.
Cleversafe provides built-in encryption of data at rest and in motion. Data
is encrypted in motion using TLS and at rest using Cleversafe SecureSlice
encryption. SecureSlice can be configured to encrypt data using AES or RC4
along with hashing for data integrity.
Cleversafe supports the following combinations of encryption and data integrity algorithms:
- RC4-128 encryption with MD5-128 Hash for data integrity
- AES-128 encryption with MD5-128 Hash for data integrity
- AES-256 encryption with SHA-256 Hash for data integrity
In addition to encrypting data at rest, for additional security, Cleversafe
ensures that no copy of the data resides in any single disk, node, or
location. For flexible data and management access, Cleversafe supports
multiple authentication methods:
- Username and password (internally managed)
- Active Directory or OpenLDAP server
- S3 Secret Access Key
- OpenStack Keystone Identity Service
- Public Key Infrastructure (PKI) certificate and private key
A user may authenticate using more than one of the mechanisms listed
above, for example, a username and password as well as proof of possession of the
private key corresponding to an X.509 v3 certificate.
Cloud data services provide managed services for data and analytics. These
data services meet the needs of application developers, data scientists,
and IT architects with data intensive needs. For example, application
developers need database technologies to power their applications, or data
scientists need analytics tools to rapidly analyze data from social media
and spend less time managing the infrastructure for storing the data.
The following IBM products offer cloud data services protection and encryption.
- Cloud Data warehouse
IBM dashDB™ is a cloud data warehouse service and is available in
both Bluemix (public) and Cloudant®. Data at rest in dashDB is encrypted
automatically using Advanced Encryption Standard (AES) in Cipher-Block
Chaining (CBC) mode with a 256-bit key.
Encryption and key management are totally transparent to applications and
schemas. Additionally, the client has the option to indicate, upon
provisioning, the master key rotation period. The default is 90 days, but
the client may choose a different value. The master key rotation is
automatic and transparent.
Database and table-space backup images are automatically compressed and
encrypted, also using AES in CBC mode with 256-bit keys.
- Cloudant NoSQL DB
Cloudant is a NoSQL database as a service (DBaaS) that can handle a wide
variety of data types like JSON, full-text, and geospatial. You can mark
all data at rest in a Cloudant cluster to be encrypted by default.
Additionally, encryption at the level of a document can be done at the
Cloudant is available on Bluemix in a shared environment where users are
provided accounts on a shared Cloudant Cluster. Cloudant is also available
in a dedicated environment where a customer can get a dedicated Cloudant
- IBM DB2 on Cloud
IBM DB2® on Cloud has the same security features as on-premises editions of
DB2. It includes in-flight and at-rest data encryption and meets ISO
27001, PCI-DSS, SOC2, HIPAA and other data protection standards. So, if
your DB2 instances are in the cloud, you can configure DB2 with data
PostgreSQL provides cryptographic functions in a module called pgcrypto that
can be used for data integrity and data encryption. To verify data
integrity, use the pgcrypto hash functions to compute a binary hash of given
data; PostgreSQL supports SHA-256 and SHA-512.
Additionally, in PostgreSQL you can choose to encrypt certain columns of a
database table by using the pgcrypto module, which makes the crypt()
function available in SQL statements. Both symmetric and asymmetric key
encryption functions are implemented.
Data integrity refers to maintaining and assuring the accuracy and
consistency of data over its entire lifecycle. Let’s define what we mean
by data integrity. In our context, data integrity refers to protecting
information from outside tampering.
Hashing data allows you to detect that unauthorized modifications have been
made to data. This data protection is provided for data at rest (e.g.,
rows in the tables of a database) or for data in motion. For example, when
data is stored in a database, we can generate a hash for the row of a
table in the database and securely store the hash value. If a row is
tampered with by modifying a field in the row, a comparison with the
previously generated hash value will indicate data has been tampered with.
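The row-hashing check described above, as an added example that is not code from the article or from any IBM product; the row layout and the demo key are constructed. It also goes one step beyond the text with a keyed HMAC variant for the case where the stored hash itself is reachable by whoever can modify the row.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
)

// Row is a constructed stand-in for a database row (assumption: the page
// defines no schema); it is just an ordered list of field values.
type Row struct {
	Fields []string
}

// canonical serializes a row unambiguously. Each field is prefixed with its
// 4-byte big-endian length, so that ("ab","c") and ("a","bc") do not collapse
// to the same byte string, which plain concatenation would allow.
func canonical(r Row) []byte {
	var buf []byte
	for _, f := range r.Fields {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		buf = append(buf, n[:]...)
		buf = append(buf, f...)
	}
	return buf
}

// rowHash is the SHA-256 of the canonical row, hex-encoded: the value that
// would be kept in a separate, access-controlled hash store.
func rowHash(r Row) string {
	sum := sha256.Sum256(canonical(r))
	return hex.EncodeToString(sum[:])
}

// verifyHash recomputes the hash and compares it with the stored value in
// constant time; false means some field was modified.
func verifyHash(r Row, stored string) bool {
	return subtle.ConstantTimeCompare([]byte(rowHash(r)), []byte(stored)) == 1
}

// rowMAC goes one step beyond the text: an HMAC-SHA256 under a key that the
// database writer does not hold, so an attacker who can rewrite both the row
// and its stored digest still cannot produce a matching value.
func rowMAC(r Row, key []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write(canonical(r))
	return hex.EncodeToString(m.Sum(nil))
}

func verifyMAC(r Row, key []byte, stored string) bool {
	return subtle.ConstantTimeCompare([]byte(rowMAC(r, key)), []byte(stored)) == 1
}
```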
In the context of databases, data integrity can refer to entity integrity
or referential integrity. Entity integrity relates to primary keys and the
integrity rule that every database table must have a primary key which
should be unique and not null. Referential integrity refers to the
integrity of relationships between database tables when any updates are
made to these tables. Referential integrity involves the concept of a
In the Bluemix catalog, database-related services will have built-in data
In Cleversafe, the following combinations of encryption and data integrity
algorithms are supported:
- RC4-128 encryption with MD5-128 Hash for data integrity
- AES-128 encryption with MD5-128 Hash for data integrity
IBM DB2 in the Cloud has the same enterprise-class data integrity controls
in place as IBM DB2. It provides entity and referential integrity.
Digital certificates are vital to implementing a security environment in
which two parties who need to communicate securely are able to
authenticate identities, send confidential messages to each other, or
generate digital signatures.
To understand digital certificates, you need to understand a few basic
concepts about public key cryptographic systems. In a public key
cryptographic system, a pair of related cryptographic keys are used – one
for encryption and the other for decryption. One key, the private key, is
kept secret and securely in the possession of owner A. The other key, the
public key, is provided to anybody wishing to communicate with owner A.
Public key cryptosystems may be used in one of two modes:
- Encryption mode: Suppose Bob has a public and private
key pair. Anybody wishing to send a confidential message to Bob can
use his public key to encrypt the message. Since only Bob possesses
the corresponding private key, no one other than Bob can decrypt the
- Authentication mode: Bob encrypts a message using his
private key and mails it. Anybody in possession of his public key is
able to decrypt the message. The message in this case is not
confidential since anybody with the public key can decrypt it using
Bob’s public key. However, since only Bob’s public key can be used to
successfully decrypt the message, the recipients can be certain that
the message is from Bob. Bob cannot deny that the message was signed
by him. The authentication mode forms the basis for digital
The public key of a public-private key pair must be made available to other users. This public key is made available in a digitally signed document called a certificate.
A certificate, among other things, contains a user’s name and a user’s public key, digitally signed by a certification authority, which is an entity that issues digital certificates and is part of a certificate management system.
At a high level, a certificate management system provides services for automated certificate management. This includes managing, issuing, and revoking digital certificates for various entities such as users, websites, applications, and devices like servers and mobile devices. Using a cloud-based certificate management system allows businesses to focus on developing their core business applications to meet their customers’ needs.
IBM Bluemix users with a pay-as-you-go or subscription plan are entitled to four free certificate uploads. Bluemix users with a free trial account are entitled to one free certificate upload.
Before you can upload certificates, you must create a certificate-signing request to send to a third-party certification authority, which will issue the certificate. IBM Cloud does not provide a certification authority. Organizations can also generate self-signed certificates for testing.
When ordering certificates from third parties, consider the business context in which the certificate will be used to decide on the level of certification needed for issued certificates. For example, websites that provide e-commerce or financial transactions need the highest level of validation for issued certificates.
Bluemix and IBM SoftLayer give you the option of ordering domain-validated, organization-validated, or extended-validation certificates from different vendors. In domain-validated certificates, the domain for which the certificate is issued is verified and the certificate is issued through automated processes. No check is made regarding the organization requesting the certificate. These certificates should not be used on a website conducting e-commerce or financial transactions.
In organization-validated certificates, the certificate contains the verified name of the entity that controls the website for which the certificate has been issued. This kind of certificate is recommended for websites conducting e-commerce or financial transactions.
Extended-validation certificates are issued after even more extensive validation and provide a higher level of assurance than organization-validated certificates.
Other considerations for the type of certificate to request include the length of the asymmetric key pair generated for the certificate and the duration for which the certificate is valid. You should select 1024 bit or 2048 bit keys, with 2048 bit keys being more secure and being the only option for extended validation certificates. Certificates should be set to expire within a year or two.
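A self-signed test certificate plus a pre-upload policy check following the guidance above, as an added example that is not part of the original article or of IBM's tooling; the host name is constructed, and the check enforces the stronger of the two key sizes the text lists (2048-bit RSA) and a validity of at most two years.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSignedTestCert issues a self-signed certificate, the kind the article
// suggests for testing, for a constructed host name with the requested RSA
// key size and validity period. It is not a CA-issued certificate.
func selfSignedTestCert(host string, bits int, validFor time.Duration) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now,
		NotAfter:     now.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// checkCertPolicy applies the guidance above before a certificate is uploaded:
// the stronger of the two key sizes the text lists (2048-bit RSA, the only
// option for extended validation) and a lifetime of at most two years.
func checkCertPolicy(pemData []byte) error {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return errors.New("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected key type %T", cert.PublicKey)
	}
	if bits := pub.N.BitLen(); bits < 2048 {
		return fmt.Errorf("RSA key is %d bits; use 2048", bits)
	}
	if life := cert.NotAfter.Sub(cert.NotBefore); life > 2*365*24*time.Hour {
		return fmt.Errorf("validity of %v exceeds two years", life.Round(time.Hour))
	}
	return nil
}
```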
Data classification and data activity monitoring
Data classification and data activity monitoring are two effective methods
to help secure critical information.
Before you can adequately protect sensitive data, you must identify where it
exists and classify it. Automating the discovery and classification
process is a critical component of a data protection strategy to prevent a
breach of sensitive data. IBM Guardium provides integrated data classification capabilities
and a seamless approach to finding, classifying, and protecting your most
critical data, whether in the cloud or in the data center.
Activity monitoring provides you with visibility into not only who is
accessing sensitive information, but also what information is being
accessed, creating alerts when certain conditions are met, and even
blocking or quarantining connections where warranted.
IBM dashDB, available with both IBM Bluemix and Cloudant, includes Guardium
classification and continuous-monitoring capabilities, and is available
through the dashDB console. Via the console, three reports are available:
- The Sensitive Data Report shows you what sensitive data is in your
database, such as credit card numbers.
- The Database Connections Report gives you details about who is
connecting to and accessing your database.
- The Activity Report gives you a detailed look at the activity in your
database, such as which objects are being accessed.
Data privacy and regulations
Data privacy controls how information (particularly about individuals) is
collected, used, shared, and disposed of, in accordance with policies or
external laws and regulations.
In the European Union and other jurisdictions, data privacy is also known
as data protection. For purposes of this article, we refer to the term as
Technical and organizational security and privacy measures are implemented
for each cloud service in compliance with IBM policy. These measures are
implemented according to the cloud service’s architecture, intended use,
and the type of service provided. The image below shows the general
division of responsibility within each service type.
With IBM cloud services, IBM SoftLayer (IaaS) clients are responsible for the
applications, content, runtimes, middleware, and operating systems they
deploy on the IaaS solution. This includes the implementation and
management of data security and privacy measures that are not physical.
Bluemix (PaaS) clients manage the applications and content they deploy on
the PaaS solution, including the implementation and management of data
security and privacy measures for their applications and data.
SaaS clients continue to manage their end user accounts, appropriate use of
the IBM SaaS offering, and the data they process pursuant to the terms of
the cloud service agreement. Given their own requirements, SaaS clients
are responsible for assessing the suitability of the standard data
security and privacy measures that IBM implements.
IBM’s specific management responsibilities for each cloud service,
regardless of type, are set out in the relevant offering agreement. The
data security and privacy measures designed to, among other things, defend
IBM cloud services against such risks as accidental loss, unauthorized
access, and unauthorized use of client data are incorporated into each
service description, including any configurable options and services that
may be available.
For more information, read the Data Security and Privacy Principles document (PDF), which
describes the overarching IBM policies and practices that are incorporated
into each service description.